Hi, how can I use Wireshark to see if a particular web site, web app is using HSTS? Thanks asked 17 Feb '17, 05:35  adasko |
2 Answers:
IF you can decrypt the HTTP exchange between server and client, you can check to see if the HSTS header is present in the HTTP response from the server. IF NOT then you can't. answered 17 Feb '17, 08:15  Jaap ♦ |
As Jaap said: If you can decrypt the traffic you will be able to see the HSTS header. If not you can use the Web Developer tools in your browser (available in/for Chrome, Safari, Firefox, Internet Explorer) or you can configure a proxy like Fiddler to see the headers. answered 17 Feb '17, 11:22  Uli |
cURL does it without acting as a proxy and without having to decrypt the payload:
https://www.owasp.org/index.php/Test_HTTP_Strict_Transport_Security_(OTG-CONFIG-007)
cURL does receive the plain text payload though, the library it uses for the TLS connection does the decryption for it.
Wireshark does not originate any connections so do not have access to the key, and hence the plain text payload unless the user provides the keying material.